Anti-spam team, Confirmed users
99
edits
User:Apking/Web Security Guidelines: Difference between revisions
User:Apking/Web Security Guidelines (view source)
Revision as of 23:25, 15 January 2016
, 15 January 2016Added resource loading over HTTPS
(err, fix ordering) |
(Added resource loading over HTTPS) |
||
| Line 45: | Line 45: | ||
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]] | * [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]] | ||
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility | * [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility | ||
| Line 125: | Line 126: | ||
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning] | * [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning] | ||
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins | * [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins | ||
== Resource Loading == | |||
All resources — whether on the same origin or not — should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and “mixed content” warnings. Loading passive content such as images insecurely, although less risky, can still lead to degraded UIs and allow active attackers to deface websites and can lead to phishing attacks. | |||
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment. | |||
=== Examples === | |||
<pre><!-- HTTPS is a fantastic way to load a JavaScript resource --> | |||
<script src="https://code.jquery.com/jquery-1.12.0.min.js"></script></pre> | |||
<pre><!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --> | |||
<script src="https://code.jquery.com/jquery-1.12.0.min.js"></script></pre> | |||
<pre><!-- Although passive content won't be blocked, it will still generate mixed content warnings --> | |||
<img src="http://very.badssl.com/image.jpg"></pre> | |||
=== See Also === | |||
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content] | |||
| Line 489: | Line 512: | ||
| style="text-align: center;" | P1 | | style="text-align: center;" | P1 | ||
| style="text-align: center;" | Easy | | style="text-align: center;" | Easy | ||
| style="text-align: center;" | | | style="text-align: center;" | 3 | ||
| Mandatory | | Mandatory | ||
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely | | Websites must redirect to HTTPS, API endpoints should disable HTTP entirely | ||
|- style="background-color: #9EDB58;" | |||
| style="padding-left: 1.5em;" | [[#Resource Loading|<span style="color: black;">Resource Loading</span>]] | |||
| style="text-align: center;" | P1 | |||
| style="text-align: center;" | Easy | |||
| style="text-align: center;" | 2 | |||
| Mandatory for all websites | |||
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS | |||
|- style="background-color: #9EDB58;" | |- style="background-color: #9EDB58;" | ||
| style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]] | | style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]] | ||
| style="text-align: center;" | P1 | | style="text-align: center;" | P1 | ||
| style="text-align: center;" | Easy | | style="text-align: center;" | Easy | ||
| style="text-align: center;" | | | style="text-align: center;" | 4 | ||
| Mandatory for all websites | | Mandatory for all websites | ||
| Minimum allowed time period of six months | | Minimum allowed time period of six months | ||
| Line 503: | Line 533: | ||
| style="text-align: center;" | P2 | | style="text-align: center;" | P2 | ||
| style="text-align: center;" | High | | style="text-align: center;" | High | ||
| style="text-align: center;" | | | style="text-align: center;" | 10 | ||
| Mandatory for new websites<br>Recommended for existing websites | | Mandatory for new websites<br>Recommended for existing websites | ||
| Disabling inline script is the greatest concern for CSP implementation | | Disabling inline script is the greatest concern for CSP implementation | ||
| Line 510: | Line 540: | ||
| style="text-align: center;" | P3 | | style="text-align: center;" | P3 | ||
| style="text-align: center;" | Easy | | style="text-align: center;" | Easy | ||
| style="text-align: center;" | | | style="text-align: center;" | 7 | ||
| Mandatory for all new websites<br>Recommended for existing websites | | Mandatory for all new websites<br>Recommended for existing websites | ||
| All cookies must be set with the Secure flag, and set as restrictively as possible | | All cookies must be set with the Secure flag, and set as restrictively as possible | ||
| Line 517: | Line 547: | ||
| style="text-align: center;" | P4 | | style="text-align: center;" | P4 | ||
| style="text-align: center;" | Easy | | style="text-align: center;" | Easy | ||
| style="text-align: center;" | | | style="text-align: center;" | 9 | ||
| Mandatory for all new websites<br>Recommended for existing sites | | Mandatory for all new websites<br>Recommended for existing sites | ||
| Websites should serve contribute.json and keep contact information up-to-date | | Websites should serve contribute.json and keep contact information up-to-date | ||
| Line 524: | Line 554: | ||
| style="text-align: center;" | P3 | | style="text-align: center;" | P3 | ||
| style="text-align: center;" | Easy | | style="text-align: center;" | Easy | ||
| style="text-align: center;" | | | style="text-align: center;" | 11 | ||
| Mandatory | | Mandatory | ||
| Origin sharing headers and files should not be present, except for specific use cases | | Origin sharing headers and files should not be present, except for specific use cases | ||
| Line 531: | Line 561: | ||
| style="text-align: center;" | P2 | | style="text-align: center;" | P2 | ||
| style="text-align: center;" | Varies | | style="text-align: center;" | Varies | ||
| style="text-align: center;" | | | style="text-align: center;" | 5 | ||
| Varies | | Varies | ||
| Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation | | Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation | ||
| Line 538: | Line 568: | ||
| style="text-align: center;" | P5 | | style="text-align: center;" | P5 | ||
| style="text-align: center;" | Easy | | style="text-align: center;" | Easy | ||
| style="text-align: center;" | | | style="text-align: center;" | 13 | ||
| Optional | | Optional | ||
| Websites that implement robots.txt must use it only for noted purposes | | Websites that implement robots.txt must use it only for noted purposes | ||
| Line 545: | Line 575: | ||
| style="text-align: center;" | P5 | | style="text-align: center;" | P5 | ||
| style="text-align: center;" | Moderate | | style="text-align: center;" | Moderate | ||
| style="text-align: center;" | | | style="text-align: center;" | 14 | ||
| Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">‡</sup> | | Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">‡</sup> | ||
| <sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">‡</sup> Only for websites that load JavaScript or stylesheets from non-Mozilla sources | | <sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">‡</sup> Only for websites that load JavaScript or stylesheets from non-Mozilla sources | ||
| Line 552: | Line 582: | ||
| style="text-align: center;" | P3 | | style="text-align: center;" | P3 | ||
| style="text-align: center;" | Easy | | style="text-align: center;" | Easy | ||
| style="text-align: center;" | | | style="text-align: center;" | 8 | ||
| Recommended for all websites | | Recommended for all websites | ||
| Websites should verify that they are setting the proper MIME types for all resources | | Websites should verify that they are setting the proper MIME types for all resources | ||
| Line 559: | Line 589: | ||
| style="text-align: center;" | P2 | | style="text-align: center;" | P2 | ||
| style="text-align: center;" | Easy | | style="text-align: center;" | Easy | ||
| style="text-align: center;" | | | style="text-align: center;" | 6 | ||
| Mandatory for all websites | | Mandatory for all websites | ||
| Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses | | Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses | ||
| Line 566: | Line 596: | ||
| style="text-align: center;" | P4 | | style="text-align: center;" | P4 | ||
| style="text-align: center;" | Moderate | | style="text-align: center;" | Moderate | ||
| style="text-align: center;" | | | style="text-align: center;" | 12 | ||
| Mandatory for all new websites<br>Recommended for existing websites | | Mandatory for all new websites<br>Recommended for existing websites | ||
| Manual testing should be done for existing websites, prior to implementation | | Manual testing should be done for existing websites, prior to implementation | ||